Software Data Excel Chart Developer Helper

Security checks across malware telemetry and agentic risk

Overview

This appears to be a normal Excel report automation skill, with some broad auto-activation wording that users should be aware of before relying on it.

Install only if you want an agent to help create or repair Excel workbooks and reports. Keep copies of important spreadsheets before allowing edits, and confirm the exact files and outputs when the skill is invoked for broad Excel-related requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Vague Triggers

Medium, 93% confidence
Finding
The trigger sentences are malformed, overly generic, and include broad phrasing that could cause accidental or inappropriate activation of the skill. In an agentic system, ambiguous activation logic can route unrelated user requests into spreadsheet automation workflows, increasing the chance of unsafe file handling, unintended Office automation, or execution of workbook-related actions in the wrong context.

Vague Triggers

Medium, 88% confidence
Finding
The trigger phrases are broad, awkwardly templated, and likely to match generic user requests about Excel help rather than a narrowly scoped skill invocation. This increases the chance of unintended activation, causing the agent to apply this skill in the wrong context and potentially mishandle user intent or workflow selection.

Vague Triggers

Medium, 87% confidence
Finding
The skill description activates on very broad topic phrases like Excel reporting, charts, dashboards, and implementation support without strong boundaries on when the skill should or should not be used. This can cause the agent to invoke the skill for routine spreadsheet requests outside its intended niche, leading to scope confusion, inappropriate tool use, or accidental handling of adjacent tasks with different security or correctness requirements.

Vague Triggers

Medium, 84% confidence
Finding
The listed keywords and example triggers are generic terms commonly present in ordinary Excel conversations, such as dashboard, conditional formatting, print area, and export pdf. Because these are broad and lack gating conditions, the skill may activate too often and steer the agent into this workflow even when another safer or more appropriate skill should handle the request.

Vague Triggers

Medium, 88% confidence
Finding
The default prompt and short description are broad enough to match many ordinary Excel-related requests, which increases the chance this skill is invoked outside a narrowly intended scope. Because the skill can build, repair, and export workbooks while preserving formulas and layout, over-broad routing could cause unintended file manipulation or expose workbook contents to an unnecessary agent path.

Vague Triggers

Medium, 94% confidence
Finding
Enabling implicit invocation without trigger constraints allows the platform to auto-select this skill for loosely related workbook requests, even when the user did not clearly ask for report-building or automation behavior. In this context, the skill is capable of modifying files, formulas, print settings, and export flows, so broad automatic routing increases the risk of unintended actions on user workbooks and mis-scoped handling of sensitive report data.

Vague Triggers

Medium, 93% confidence
Finding
The trigger sentences are overly broad and resemble ordinary user phrasing, which can cause the skill to activate in contexts where the user did not explicitly intend to invoke it. In an agent system, this creates prompt-routing ambiguity and can lead to inappropriate skill selection, unintended access to workbook-related workflows, or confusion that degrades safety boundaries.

VirusTotal

64/64 vendors flagged this skill as clean.